5 Replies Latest reply on Dec 8, 2011 5:48 AM by jkwheeler

    Do I need to do a clean install because I might have undetected malware?

      Hi!

       

      Was having trouble with Windows Update not working.  After much discussion with an agent on Microsoft's community forum, the agent said I had malware and that I should just do a clean install of Windows.  I don't want to do a reinstall for a variety of reasons but I will do it as a last resort.  I thought I would ask you all if you thought I had malware and whether I can remove it before I hauled off and did the clean install.

       

      I list the details below.  Anyone have any thoughts?  Thanks!

       

      jkwheeler

       

      ----- Details -----

       

      • Windows XP Media Center Edition Version 2002 SP3
      • McAfee Security Center v11.0, has VirusScan v15.0, DAT 6549.0000, Engine v5400.1158 (I have autoupdate turned on and working)
      • Ran a full scan in safe mode with networking.  No problems reported.  All zeros in the report.
      • Ran Stinger in safe mode with networking.  Sensitivity level "Very High" with "Report only."  Here is the report:

       

      McAfee(r) Labs Stinger(tm) Version 10.2.0.408 built on Dec  2 2011
      Copyright (c) 2011 McAfee, Inc. All Rights Reserved.
      Virus data file v1000.0000 created on Dec 2 2011.
      Ready to scan for 3515 viruses, trojans and variants.

      Scan initiated on Sun Dec 04 17:26:15 2011
      Rootkit scan result : Not Scanned


        Master Boot Record(s):....1
        Possibly Infected:.............0
        Boot Sector(s):.................1
        Possibly Infected: ............0

        Number of clean files: 18534


      Mmmm... I see the line that says "Rootkit scan result : Not Scanned."  Do I need to do something to get Stinger to give a rootkit scan result?  Does this mean Stinger did not scan for rootkits?

       

      • Stinger also created a file called vscan.bof.  Do you want me to attach that file in another post?
      • Ran GetSusp in safe mode with networking.  GetSusp created a log called GetSusp.xml.  Do you want me to attach that file in another post?
      • Previously, I posted to Malwarebytes forum.  Their agent went through a lot of details and decided I did not have malware.  But, the Microsoft agent still thought I had undetected malware even though VirusScan said "no" and the Malwarebytes agent said "no."  The Malwarebytes thread is at:
        http://forums.malwarebytes.org/index.php?showtopic=95006
        Note that on the Malwarebytes discussion I mentioned a network problem.  That problem is resolved now so you probably can ignore that part.
        • 1. Re: Do I need to do a clean install because I might have undetected malware?
          Hayton

          "Windows Update not working".   Any other signs of a malware infection?

           

          Only post the logs if Getsusp and Stinger had something to report.

           

          Try downloading and running Microsoft's Baseline Security Analyzer, and see what it says. There may perhaps be a Microsoft FixIt for this problem, but MBSA will give you an overview of your security situation and any missing updates.

          • 2. Re: Do I need to do a clean install because I might have undetected malware?

            I should have time to run MBSA after work sometime in the next few days.

             

            GetSusp marked a few files as "suspect" and it also marked a few files as "unknown."  Would you like for me to post the GetSusp XML report?  I'm not posting from the affected PC right now so I cannot post the report right this minute.

             

            Is there any issue with Stinger not scanning for rootkits?

            • 3. Re: Do I need to do a clean install because I might have undetected malware?
              Hayton

              Anything to report from running MBSA?

               

              As for Stinger, there are two. I take it the one you ran was the normal Stinger, not the Fake AV Stinger? The normal Stinger has a checkbox for rootkit checking - if you read the user guide you will see it on the screenshot of the Preferences window. Where did you download Stinger from?

               

              Back to the original problem(s). Best way to check for malware is to run a free scan with a couple of other tools. You've already used Malwarebytes, so I suggest Microsoft's Safety Scanner. It can be run for up to 10 days after downloading. As for the Windows Update problem, there is one post on a microsoft forum here and a Microsoft KB article here which contain fixes which might be worth a try.

               

              Edit - There's a Microsoft Fixit which might help :

              [image attachment: Cannot install updates from Windows Update.png]

               

              Also, have you got Update Rollup 2? See http://support.microsoft.com/kb/900325

               

              Message was edited by: Hayton on 07/12/11 03:32:53 GMT
              • 4. Re: Do I need to do a clean install because I might have undetected malware?

                Thanks for sticking with me.  I've simply been busy this week and have not had time to try MBSA.

                 

                I got Stinger from

                http://service.mcafee.com/faqdocument.aspx?id=TS100815&lang=en_US&prior_tid=2&AnswerID=16777216&turl==http%3A%2F%2Fkb.mcafee.com%2Finfocenter%2Findex%3Fpage%3Dcontent%26id%3DTS100815%26actp%3Dsearch%26viewlocale%3Den_US

                 

                I'll look at Stinger again when I get time to see if rootkit scanning is turned on.  The user guide I navigate to from the link above is the same link you have in your post.

                 

                I'll also try Microsoft's safety scanner.

                 

                I've tried some of the Windows update fixes already.  I first want to convince myself that I don't have malware and then I want to get back to the Windows update issue.

                 

                Again thanks for sticking with me.  I have not abandoned this effort.  I've just been very busy with my job and other things.

                • 5. Re: Do I need to do a clean install because I might have undetected malware?

                  New Stinger report with Windows running in normal mode instead of safe mode.  I made sure the rootkit box was checked.

                   

                  McAfee(r) Labs Stinger(tm) Version 10.2.0.419 built on Dec  7 2011
                  Copyright (c) 2011 McAfee, Inc. All Rights Reserved.
                  Virus data file v1000.0000 created on Dec 7 2011.
                  Ready to scan for 3690 viruses, trojans and variants.

                  Scan initiated on Wed Dec 07 18:50:04 2011

                    Master Boot Record(s):....1
                    Possibly Infected:.............0
                    Boot Sector(s):.................1
                    Possibly Infected: ............0

                    Number of clean files: 18635

                   

                  Seems to show no issues.

                   

                  Also ran Microsoft Safety Scanner.  It said it ran successfully and found no problems.

                   

                  With these results, can we reliably say that the PC has no malware?  I'm still concerned that the GetSusp report called some files "suspicious."  I still can attach the GetSusp.xml file if you like.

                   

                  If you think that I really don't have malware, then I can set out to try the Windows Update fixes that you listed that I have not already tried.  Should I open a new discussion thread for that?  If so, which community discussion should I use?  Note that I have not shared all the symptoms the PC has of not running Windows Update so I would need to share those details.

                   

                  I also ran MBSA.  I pasted in the report below.

                   

                  The MBSA report starts off saying that it cannot scan for security updates because it cannot load the securityCAB file.  Is that because Windows Update is hosed?

                   

                  MBSA also said that there were incomplete updates and that I needed to reboot to complete the updates.  That surprised me because the last Windows update before the updater stopped running was back in August.  I've rebooted lots of times since August, including.  Just for grins, I rebooted after I saw this item in the MBSA report and got the same result.  The attached report is the one I ran after rebooting.

                   

                  I'm also surprised MBSA complained that Windows Firewall was not running.  I thought MBSA would have detected that the McAfee Firewall was running and not complained.

                   

                  Thoughts?  Thanks!

                   

                  ----- Begin MBSA report ------

                   

                  Security assessment: Incomplete Scan
                  Computer name: WORKGROUP\COMPUTER2
                  IP address: 192.168.1.103
                  Security report name: WORKGROUP - COMPUTER2 (12-7-2011 7-58 PM)
                  Scan date: 12/7/2011 7:58 PM
                  Scanned with MBSA version: 2.2.2170.0
                  Catalog synchronization date: 2011-11-23T00:16:31Z


                    Security Updates Scan Results

                      Issue:  Security Updates
                      Score:  Unable to scan
                      Result: Cannot load security CAB file.


                    Operating System Scan Results

                      Administrative Vulnerabilities
                   
                      Issue:  Local Account Password Test
                      Score:  Check passed
                      Result: No user accounts have simple passwords.
                      Detail:
                     | User | Weak Password | Locked Out | Disabled |
                     | Guest | - | - | Disabled |
                     | HelpAssistant | - | - | Disabled |
                     | SUPPORT_388945a0 | - | - | Disabled |
                     | Administrator | - | - | - |
                     | David | - | - | - |

                      Issue:  File System
                      Score:  Check passed
                      Result: All hard drives (1) are using the NTFS file system.
                      Detail:
                     | Drive Letter | File System |
                     | C: | NTFS |

                      Issue:  Password Expiration
                      Score:  Check not performed
                      Result: This check was skipped because the computer is not joined to a domain.

                      Issue:  Guest Account
                      Score:  Check passed
                      Result: The Guest account is disabled on this computer.

                      Issue:  Autologon
                      Score:  Check not performed
                      Result: This check was skipped because the computer is not joined to a domain.

                      Issue:  Restrict Anonymous
                      Score:  Check passed
                      Result: Computer is properly restricting anonymous access.

                      Issue:  Administrators
                      Score:  Check passed
                      Result: No more than 2 Administrators were found on this computer.
                      Detail:
                     | User |
                     | Administrator |
                     | David |

                      Issue:  Windows Firewall
                      Score:  Best practice
                      Result: Windows Firewall is disabled and has exceptions configured.
                      Detail:
                     | Connection Name | Firewall | Exceptions |
                     | All Connections | Off | Programs |
                     | Local Area Connection 4 | Off* | Programs* |

                      Issue:  Automatic Updates
                      Score:  Check failed (critical)
                      Result: The Automatic Updates system service is not running.

                      Issue:  Incomplete Updates
                      Score:  Best practice
                      Result: No incomplete software update installations were found.

                  Additional System Information
                   
                      Issue:  Windows Version
                      Score:  Best practice
                      Result: Computer is running Microsoft Windows XP.

                      Issue:  Auditing
                      Score:  Best practice
                      Result: This check was skipped because the computer is not joined to a domain.

                      Issue:  Shares
                      Score:  Best practice
                      Result: 2 share(s) are present on your computer.
                      Detail:
                     | Share | Directory | Share ACL | Directory ACL |
                     | ADMIN$ | C:\WINDOWS | Admin Share | BUILTIN\Users -  RX, BUILTIN\Power Users -  RWXD, BUILTIN\Administrators -  F, NT AUTHORITY\SYSTEM -  F |
                     | C$ | C:\ | Admin Share | BUILTIN\Administrators -  F, NT AUTHORITY\SYSTEM -  F, BUILTIN\Users -  RX, Everyone -  RX |

                      Issue:  Services
                      Score:  Best practice
                      Result: Some potentially unnecessary services are installed.
                      Detail:
                     | Service | State |
                     | Telnet | Stopped |


                    Internet Information Services (IIS) Scan Results
                  IIS is not running on this computer.

                    SQL Server Scan Results

                     Instance MICROSOFTBCM

                      Administrative Vulnerabilities
                   
                      Issue:  SQL Server/MSDE Security Mode
                      Score:  Check failed (non-critical)
                      Result: SQL Server and/or MSDE authentication mode is set to SQL Server and/or MSDE and Windows (Mixed Mode).

                      Issue:  Exposed SQL Server/MSDE Password
                      Score:  Check passed
                      Result: The 'sa' password and SQL service account password are not exposed in text files.

                      Issue:  CmdExec role
                      Score:  Check passed
                      Result: CmdExec is restricted to sysadmin only.

                      Issue:  Registry Permissions
                      Score:  Check failed (critical)
                      Result: The Everyone group has more than Read access to the SQL Server and/or MSDE registry keys.

                      Issue:  Folder Permissions
                      Score:  Check passed
                      Result: Permissions on the SQL Server and/or MSDE installation folders are set properly.

                      Issue:  Sysadmin role members
                      Score:  Best practice
                      Result: BUILTIN\Administrators group should not be part of sysadmin role.

                      Issue:  Guest Account
                      Score:  Check passed
                      Result: The Guest account is not enabled in any of the databases.

                      Issue:  Sysadmins
                      Score:  Check passed
                      Result: No more than 2 members of sysadmin role are present.

                      Issue:  SQL Server/MSDE Account Password Test
                      Score:  Check passed
                      Result: No SQL user accounts have weak passwords.

                      Issue:  Service Accounts
                      Score:  Best practice
                      Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
                      Detail:
                     | Instance | Service | Account | Issue |
                     | MICROSOFTBCM | MSSQL$MICROSOFTBCM | SYSTEM | LocalSystem account. |
                     | MICROSOFTBCM | SQLAgent$MICROSOFTBCM | SYSTEM | LocalSystem account. |


                    Desktop Application Scan Results

                  Administrative Vulnerabilities
                   
                      Issue:  IE Zones
                      Score:  Check passed
                      Result: Internet Explorer zones have secure settings for all users.

                      Issue:  Macro Security
                      Score:  Check passed
                      Result: 4 Microsoft Office product(s) are installed. No issues were found.
                      Detail:
                     | Issue | User | Advice |
                     | Microsoft Office Excel 2003 | All Users | No security issues were found. |
                     | Microsoft Office Outlook 2003 | All Users | No security issues were found. |
                     | Microsoft Office PowerPoint 2003 | All Users | No security issues were found. |
                     | Microsoft Office Word 2003 | All Users | No security issues were found. |

                   

                  ----- End MBSA report -----
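
As an added example (not part of this thread, and not MBSA's own code), here is a small Python parser for the plain-text MBSA 2.x report format shown above. MBSA is a configuration and patch-state scanner, not a malware scanner, so nothing in its report speaks to an infection either way; what it does give is a set of "Issue / Score / Result" findings, and the useful thing is to rank them by MBSA's own Score strings so the real failures (the stopped Automatic Updates service, the SQL/MSDE registry ACL) stand out from the "Best practice" notes such as the Windows Firewall one. The sample report embedded in the block is a constructed, trimmed copy of the report above in the same layout; the severity ranking, the function names and the list of update-related checks are assumptions of this example, not anything MBSA defines.

```python
"""Parse an MBSA 2.x plain-text report and rank its findings by Score."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the MBSA 2.2 report posted in this thread,
# kept in the same layout so the parser sees the real format.
SAMPLE_REPORT = """\
Security assessment: Incomplete Scan
Computer name: WORKGROUP\\COMPUTER2

  Security Updates Scan Results

    Issue:  Security Updates
    Score:  Unable to scan
    Result: Cannot load security CAB file.

  Operating System Scan Results

    Administrative Vulnerabilities

    Issue:  Windows Firewall
    Score:  Best practice
    Result: Windows Firewall is disabled and has exceptions configured.

    Issue:  Automatic Updates
    Score:  Check failed (critical)
    Result: The Automatic Updates system service is not running.

    Issue:  Incomplete Updates
    Score:  Best practice
    Result: No incomplete software update installations were found.

  SQL Server Scan Results

   Instance MICROSOFTBCM

    Issue:  Registry Permissions
    Score:  Check failed (critical)
    Result: The Everyone group has more than Read access to the SQL Server and/or MSDE registry keys.

    Issue:  Service Accounts
    Score:  Best practice
    Result: SQL Server, SQL Server Agent, MSDE and/or MSDE Agent service accounts should not be members of the local Administrators group or run as LocalSystem.
    Detail:
   | Instance | Service | Account | Issue |
   | MICROSOFTBCM | MSSQL$MICROSOFTBCM | SYSTEM | LocalSystem account. |
"""

# Severity ranking is an assumption of this example, not an MBSA scale:
# it orders MBSA's own Score strings from "nothing to do" to "fix now".
SEVERITY = {
    "Check passed": 0,
    "Check not performed": 0,
    "Best practice": 1,
    "Unable to scan": 2,
    "Check failed (non-critical)": 2,
    "Check failed (critical)": 3,
}

SECTION_RE = re.compile(r"^\s*(.+Scan Results)\s*$")
FIELD_RE = re.compile(r"^\s*(Issue|Score|Result|Detail):\s*(.*)$")
ROW_RE = re.compile(r"^\s*\|(.*)\|\s*$")


@dataclass
class Finding:
    section: str
    issue: str
    score: str = ""
    result: str = ""
    detail: list = field(default_factory=list)  # table rows, header row first

    @property
    def severity(self):
        return SEVERITY.get(self.score, 1)  # unknown Score strings rank as "look at it"


def parse_mbsa_report(text):
    """Walk the report line by line; each 'Issue:' starts a new finding and the
    Score/Result/Detail lines that follow belong to it."""
    findings, section, current = [], "", None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1).strip(), None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Issue":
                current = Finding(section=section, issue=value)
                findings.append(current)
            elif current is not None and key in ("Score", "Result"):
                setattr(current, key.lower(), value)
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            current.detail.append([cell.strip() for cell in m.group(1).split("|")])
    return findings


def triage(findings, minimum=1):
    """Findings at or above `minimum` severity, worst first (report order otherwise)."""
    return sorted((f for f in findings if f.severity >= minimum),
                  key=lambda f: -f.severity)


def update_scan_blockers(findings):
    """If the Security Updates check could not run, return the update-related
    checks in the same report that failed: those need fixing before a rescan."""
    if not any(f.issue == "Security Updates" and f.score == "Unable to scan"
               for f in findings):
        return []
    return [f for f in findings
            if f.issue in ("Automatic Updates", "Incomplete Updates") and f.severity >= 2]


if __name__ == "__main__":
    report = parse_mbsa_report(SAMPLE_REPORT)
    for f in triage(report, minimum=2):
        print(f"[{f.score}] {f.section} / {f.issue}: {f.result}")
    for f in update_scan_blockers(report):
        print(f"Update scan blocked by: {f.issue}")
```

Run against the full report pasted above, `triage(report, minimum=2)` lists the two critical failures and the "Unable to scan" entry and leaves the firewall, share and Office findings at the bottom; `update_scan_blockers` pairs the failed Security Updates scan with the stopped Automatic Updates service recorded in the same report, which is the first thing to check before blaming the CAB download, since MBSA 2.x runs its update scan through the Windows Update Agent.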